Examples with AccessControlList org.apache.hadoop.security.authorize.AccessControlList used on opensource projects

Example 1 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

the class TestApplicationACLs method verifyFriendAccess.

private void verifyFriendAccess() throws Exception {
    AccessControlList viewACL = new AccessControlList("");
    viewACL.addGroup(FRIENDLY_GROUP);
    AccessControlList modifyACL = new AccessControlList("");
    modifyACL.addUser(FRIEND);
    ApplicationId applicationId = submitAppAndGetAppId(viewACL, modifyACL);
    final GetApplicationReportRequest appReportRequest = recordFactory.newRecordInstance(GetApplicationReportRequest.class);
    appReportRequest.setApplicationId(applicationId);
    final KillApplicationRequest finishAppRequest = recordFactory.newRecordInstance(KillApplicationRequest.class);
    finishAppRequest.setApplicationId(applicationId);
    ApplicationClientProtocol friendClient = getRMClientForUser(FRIEND);
    // View as the friend
    friendClient.getApplicationReport(appReportRequest);
    // List apps as friend
    Assert.assertEquals("App view by a friend should list the apps!!", 3, friendClient.getApplications(recordFactory.newRecordInstance(GetApplicationsRequest.class)).getApplicationList().size());
    // Kill app as the friend
    friendClient.forceKillApplication(finishAppRequest);
    resourceManager.waitForState(applicationId, RMAppState.KILLED);
}

Example 2 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

the class TestApplicationACLs method verifyEnemyAccess.

private void verifyEnemyAccess() throws Exception {
    AccessControlList viewACL = new AccessControlList("");
    viewACL.addGroup(FRIENDLY_GROUP);
    AccessControlList modifyACL = new AccessControlList("");
    modifyACL.addUser(FRIEND);
    ApplicationId applicationId = submitAppAndGetAppId(viewACL, modifyACL);
    final GetApplicationReportRequest appReportRequest = recordFactory.newRecordInstance(GetApplicationReportRequest.class);
    appReportRequest.setApplicationId(applicationId);
    final KillApplicationRequest finishAppRequest = recordFactory.newRecordInstance(KillApplicationRequest.class);
    finishAppRequest.setApplicationId(applicationId);
    ApplicationClientProtocol enemyRmClient = getRMClientForUser(ENEMY);
    // View as the enemy
    ApplicationReport appReport = enemyRmClient.getApplicationReport(appReportRequest).getApplicationReport();
    verifyEnemyAppReport(appReport);
    // List apps as enemy
    List<ApplicationReport> appReports = enemyRmClient.getApplications(recordFactory.newRecordInstance(GetApplicationsRequest.class)).getApplicationList();
    Assert.assertEquals("App view by enemy should list the apps!!", 4, appReports.size());
    for (ApplicationReport report : appReports) {
        verifyEnemyAppReport(report);
    }
    // Kill app as the enemy
    try {
        enemyRmClient.forceKillApplication(finishAppRequest);
        Assert.fail("App killing by the enemy should fail!!");
    } catch (YarnException e) {
        LOG.info("Got exception while killing app as the enemy", e);
        Assert.assertTrue(e.getMessage().contains("User enemy cannot perform operation MODIFY_APP on " + applicationId));
    }
    rmClient.forceKillApplication(finishAppRequest);
}

Example 3 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

the class AppPriorityACLConfigurationParser method getPriorityAcl.

public List<AppPriorityACLGroup> getPriorityAcl(Priority clusterMaxPriority, String aclString) {
    List<AppPriorityACLGroup> aclList = new ArrayList<AppPriorityACLGroup>();
    Matcher matcher = Pattern.compile(PATTERN_FOR_PRIORITY_ACL).matcher(aclString);
    /*
     * Each ACL group will be separated by "[]". Syntax of each ACL group could
     * be like below "user=b1,b2 group=g1 max-priority=a2 default-priority=a1"
     * Ideally this means "for this given user/group, maximum possible priority
     * is a2 and if the user has not specified any priority, then it is a1."
     */
    while (matcher.find()) {
        // Get the first ACL sub-group.
        String aclSubGroup = matcher.group(1);
        if (aclSubGroup.trim().isEmpty()) {
            continue;
        }
        /*
       * Internal storage is PriorityACLGroup which stores each parsed priority
       * ACLs group. This will help while looking for a user to priority mapping
       * during app submission time. ACLs will be passed in below order only. 1.
       * user/group 2. max-priority 3. default-priority
       */
        AppPriorityACLGroup userPriorityACL = new AppPriorityACLGroup();
        // userAndGroupName will hold user acl and group acl as interim storage
        // since both user/group acl comes with separate key value pairs.
        List<StringBuilder> userAndGroupName = new ArrayList<>();
        for (String kvPair : aclSubGroup.trim().split(" +")) {
            /*
         * There are 3 possible options for key here: 1. user/group 2.
         * max-priority 3. default-priority
         */
            String[] splits = kvPair.split("=");
            // Ensure that each ACL sub string is key value pair separated by '='.
            if (splits != null && splits.length > 1) {
                parsePriorityACLType(userPriorityACL, splits, userAndGroupName);
            }
        }
        // handle here.
        if (userPriorityACL.getMaxPriority().getPriority() > clusterMaxPriority.getPriority()) {
            LOG.warn("ACL configuration for '" + userPriorityACL.getMaxPriority() + "' is greater that cluster max priority. Resetting ACLs to " + clusterMaxPriority);
            userPriorityACL.setMaxPriority(Priority.newInstance(clusterMaxPriority.getPriority()));
        }
        AccessControlList acl = createACLStringForPriority(userAndGroupName);
        userPriorityACL.setACLList(acl);
        aclList.add(userPriorityACL);
    }
    return aclList;
}

Example 4 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

the class QueueConfigurationParser method createHierarchy.

/**
   * @param parent Name of the parent queue
   * @param queueNode
   * @return
   */
private Queue createHierarchy(String parent, Element queueNode) {
    if (queueNode == null) {
        return null;
    }
    //Name of the current queue.
    //Complete qualified queue name.
    String name = "";
    Queue newQueue = new Queue();
    Map<String, AccessControlList> acls = new HashMap<String, AccessControlList>();
    NodeList fields = queueNode.getChildNodes();
    validate(queueNode);
    List<Element> subQueues = new ArrayList<Element>();
    String submitKey = "";
    String adminKey = "";
    for (int j = 0; j < fields.getLength(); j++) {
        Node fieldNode = fields.item(j);
        if (!(fieldNode instanceof Element)) {
            continue;
        }
        Element field = (Element) fieldNode;
        if (QUEUE_NAME_TAG.equals(field.getTagName())) {
            String nameValue = field.getTextContent();
            if (field.getTextContent() == null || field.getTextContent().trim().equals("") || field.getTextContent().contains(NAME_SEPARATOR)) {
                throw new RuntimeException("Improper queue name : " + nameValue);
            }
            if (!parent.equals("")) {
                name += parent + NAME_SEPARATOR;
            }
            //generate the complete qualified name
            //parent.child
            name += nameValue;
            newQueue.setName(name);
            submitKey = toFullPropertyName(name, QueueACL.SUBMIT_JOB.getAclName());
            adminKey = toFullPropertyName(name, QueueACL.ADMINISTER_JOBS.getAclName());
        }
        if (QUEUE_TAG.equals(field.getTagName()) && field.hasChildNodes()) {
            subQueues.add(field);
        }
        if (isAclsEnabled()) {
            if (ACL_SUBMIT_JOB_TAG.equals(field.getTagName())) {
                acls.put(submitKey, new AccessControlList(field.getTextContent()));
            }
            if (ACL_ADMINISTER_JOB_TAG.equals(field.getTagName())) {
                acls.put(adminKey, new AccessControlList(field.getTextContent()));
            }
        }
        if (PROPERTIES_TAG.equals(field.getTagName())) {
            Properties properties = populateProperties(field);
            newQueue.setProperties(properties);
        }
        if (STATE_TAG.equals(field.getTagName())) {
            String state = field.getTextContent();
            newQueue.setState(QueueState.getState(state));
        }
    }
    if (!acls.containsKey(submitKey)) {
        acls.put(submitKey, new AccessControlList(" "));
    }
    if (!acls.containsKey(adminKey)) {
        acls.put(adminKey, new AccessControlList(" "));
    }
    //Set acls
    newQueue.setAcls(acls);
    for (Element field : subQueues) {
        newQueue.addChild(createHierarchy(newQueue.getName(), field));
    }
    return newQueue;
}

Example 5 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

the class QueueManager method dumpConfiguration.

/**
   * method to perform depth-first search and write the parameters of every 
   * queue in JSON format.
   * @param dumpGenerator JsonGenerator object which takes the dump and flushes
   *  to a writer object
   * @param rootQueues the top-level queues
   * @throws JsonGenerationException
   * @throws IOException
   */
private static void dumpConfiguration(JsonGenerator dumpGenerator, Set<Queue> rootQueues) throws JsonGenerationException, IOException {
    for (Queue queue : rootQueues) {
        dumpGenerator.writeStartObject();
        dumpGenerator.writeStringField("name", queue.getName());
        dumpGenerator.writeStringField("state", queue.getState().toString());
        AccessControlList submitJobList = null;
        AccessControlList administerJobsList = null;
        if (queue.getAcls() != null) {
            submitJobList = queue.getAcls().get(toFullPropertyName(queue.getName(), QueueACL.SUBMIT_JOB.getAclName()));
            administerJobsList = queue.getAcls().get(toFullPropertyName(queue.getName(), QueueACL.ADMINISTER_JOBS.getAclName()));
        }
        String aclsSubmitJobValue = " ";
        if (submitJobList != null) {
            aclsSubmitJobValue = submitJobList.getAclString();
        }
        dumpGenerator.writeStringField("acl_submit_job", aclsSubmitJobValue);
        String aclsAdministerValue = " ";
        if (administerJobsList != null) {
            aclsAdministerValue = administerJobsList.getAclString();
        }
        dumpGenerator.writeStringField("acl_administer_jobs", aclsAdministerValue);
        dumpGenerator.writeFieldName("properties");
        dumpGenerator.writeStartArray();
        if (queue.getProperties() != null) {
            for (Map.Entry<Object, Object> property : queue.getProperties().entrySet()) {
                dumpGenerator.writeStartObject();
                dumpGenerator.writeStringField("key", (String) property.getKey());
                dumpGenerator.writeStringField("value", (String) property.getValue());
                dumpGenerator.writeEndObject();
            }
        }
        dumpGenerator.writeEndArray();
        Set<Queue> childQueues = queue.getChildren();
        dumpGenerator.writeFieldName("children");
        dumpGenerator.writeStartArray();
        if (childQueues != null && childQueues.size() > 0) {
            dumpConfiguration(dumpGenerator, childQueues);
        }
        dumpGenerator.writeEndArray();
        dumpGenerator.writeEndObject();
    }
}